Monday, January 21, 2008

I've been asked more than just a few questions about Microsoft Excel's new vulnerability, so I wanted to lay a few of the issues out on the table.

Some people have essentially declared this a non-issue, since it applies only to older versions and has so far been used only in targeted attacks.

It has only been seen in the wild against specific targets so far. It is only a matter of time before it is leveraged in a botnet campaign. How many companies and individual users already block Excel attachments? How realistic is it for any organization to block incoming Excel attachments? We have seen how the bad guys have used password-protected ZIP files to bypass filters. Now spammers have started encoding their material in PDF and JPG files to avoid filters. Excel is so common that it is only a matter of time before this vulnerability is exploited on a larger scale.
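The filter-evasion point above is worth making concrete from the defender's side: an attachment filter that keys on the file extension is exactly what a renamed file or a re-wrapped container walks past. The following is an added example, not code from the original post, showing how a mail-gateway check can classify an attachment by its container bytes instead (the OLE2 compound-document signature used by legacy .xls, versus a ZIP container carrying an OOXML workbook) and flag any disagreement between the content and the claimed extension. The blocking policy, the sample attachments, and the function names are all assumptions of this example.

```python
import io
import os
import zipfile

# Signatures of the two container formats Excel uses.
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # Compound File Binary: legacy .xls (also .doc/.ppt)
ZIP_MAGIC = b"PK\x03\x04"                          # ZIP: OOXML .xlsx/.xlsm and ordinary archives

LEGACY_EXCEL_EXT = {".xls", ".xlt", ".xla"}
OOXML_EXCEL_EXT = {".xlsx", ".xlsm", ".xltx", ".xltm"}


def sniff_container(data: bytes) -> str:
    """Classify an attachment by its bytes alone; the filename is never consulted."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return "zip-corrupt"
        # An OOXML workbook always carries its workbook part at this path.
        return "ooxml-excel" if "xl/workbook.xml" in names else "zip"
    return "other"


def assess_attachment(filename: str, data: bytes) -> dict:
    """Example policy (an assumption of this example): block every OLE2 compound
    document by content, and quarantine anything whose extension disagrees with
    the sniffed container. A legacy .xls cannot be told apart from a .doc without
    parsing the OLE2 directory, so the whole legacy binary family is treated alike."""
    ext = os.path.splitext(filename.lower())[1]
    kind = sniff_container(data)
    claims_legacy = ext in LEGACY_EXCEL_EXT
    claims_ooxml = ext in OOXML_EXCEL_EXT
    mismatch = (
        (claims_legacy and kind != "ole2")
        or (claims_ooxml and kind != "ooxml-excel")
        or (kind in ("ole2", "ooxml-excel") and not (claims_legacy or claims_ooxml))
    )
    if kind == "ole2":
        verdict = "block"
    elif mismatch:
        verdict = "quarantine"
    else:
        verdict = "allow"
    return {"kind": kind, "mismatch": mismatch, "verdict": verdict}


def _make_ooxml_bytes() -> bytes:
    """Constructed minimal OOXML-shaped workbook: a ZIP holding the parts the sniffer looks for."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
    return buf.getvalue()


# Constructed sample attachments (name -> bytes); none are real files.
SAMPLES = {
    "legacy.xls": OLE2_MAGIC + b"\x00" * 504,      # legacy binary workbook, honestly named
    "report.xlsx": _make_ooxml_bytes(),            # OOXML workbook, honestly named
    "invoice.xlsx": OLE2_MAGIC + b"\x00" * 504,    # legacy binary renamed to look modern
    "notes.txt": b"just text",                     # not a container at all
    "photo.jpg": _make_ooxml_bytes(),              # workbook hiding behind a harmless extension
}


if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:14s} {assess_attachment(name, blob)}")
```

Two of the constructed samples show why the check cannot stop at the extension: `invoice.xlsx` is a legacy binary file wearing a modern name and is still blocked, and `photo.jpg` is a workbook that an extension list would have waved through. A real gateway would additionally have to open password-protected archives (which it cannot) and decide what to do with them, which is the policy question the paragraph above raises.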

Specifically, remember how Bugbear lifted filenames from the previous victim's hard drive? What happens when a new vulnerable victim receives a familiarly named file from a familiar email address? Even if Outlook throws up a barrage of confirmation dialogs, the user will click through them.

As for underplaying the issue as impacting only legacy versions of Excel--just define legacy. How many people out there upgrade to the latest Microsoft Office version each time a new one is released? Personally, I find quite a few value-added features in Office 2003 and 2007, but many folks need only the basics and are quite happy with Office 2002 (XP) or earlier. Also, how many organizations have rolled out SP3 for Office 2003? Most that I am involved with have, but these are the questions to ask yourself when you determine your risk.

The key things to remember are that it is remotely exploitable, that users will tend to open important-looking Excel spreadsheets anyway, and that there is little information about a patch (Microsoft's blog announcement claimed that later versions simply do not contain the vulnerable code--it's not as if they have found and fixed the flaw yet).

For most users, the best defense against this vulnerability right now is to upgrade to Office 2003 and patch to Service Pack 3, or to use an alternative office suite such as OpenOffice. To combat this type of vulnerability in Microsoft Office family products, install the compatibility pack and MOICE (the Microsoft Office Isolated Conversion Environment). Instructions are available under "Workarounds" at http://microsoft.com/technet/secuirty/advisory/947563.mspx.

Be sure to keep your operating system and applications patched as much as possible to minimize the risk and impact of file- and protocol-parsing vulnerabilities. With application convergence, the risk posed by any single vulnerability is increasing. There is some wisdom in what my friend Zeke told me last Friday: "Paranoia is a gift, not a disorder."

Update: A Government Computer News article quoting me and my friend and associate John Strand is below.